President Bush Signs into Law OPEN Government Act. On Monday, December 31, 2007, the President signed into law S. 2488, the Openness Promotes Effectiveness in our National Government Act of 2007, which amends the Freedom of Information Act (FOIA) by: (1) establishing a definition of "a representative of the news media;" (2) directing that required attorney fees be paid from an agency's own appropriation rather than from the Judgment Fund; (3) prohibiting an agency from assessing certain fees if it fails to comply with FOIA deadlines; and (4) establishing an Office of Government Information Services in the National Archives and Records Administration to review agency compliance with FOIA. Senator Patrick Leahy (D-VT) led the effort in Congress to enact the new open government law with the support of the Open the Government coalition. EPIC publishes Litigation Under the Federal Open Government Laws. (Dec. 31)

EPIC - "Federal Trade Commission failed to address the privacy implications of the Google-Doubleclick Merger". In a detailed statement issued today, EPIC said that the unique circumstances of the online advertising industry required the FTC to impose privacy safeguards as a condition of the Google-Doubleclick merger. EPIC said that the FTC "had reason to act and authority to act, and failed to do so." EPIC pointed out that the Commission ignored similar assessments from leaders in Congress and consumer protection agencies. EPIC said it would vigorously pursue Freedom of Information Act requests regarding the role of the Jones Day law firm in the merger review. EPIC concluded that the FTC's decision "does not end the discussion about competition and privacy protection in the context of merger review. Consumers around the world will be impacted by the business practices of the combined entity, and the consequences will have to be addressed." Attention turns next to a hearing before the European Parliament on January 21. EPIC has been invited to testify. (Dec. 20)

Commission Allows Google-Doubleclick Merger Without Conditions. In a 4-1 opinion, the Federal Trade Commission has approved the $3.1b Google-Doubleclick deal, saying that the proposed acquisition is "Unlikely to lessen competition." Commissioner Harbour dissented from the decision, stating that "If the Commission closes its investigation at this time, without imposing any conditions on the merger, neither the competition nor the privacy interests of consumers will have been adequately addressed." Commissioner Leibowitz, in a concurring opinion, warned that "industry participants must stop being coy and start being more forthcoming about their practices, the consumer information they collect, and how they use it" and recommended the adoption of opt-in for online services. The unconditional approval comes as a surprise following the earlier "Second Request" by the Commission which has historically indicated an intent to block a merger or impose conditions as a requirement for merger approval. EPIC and CDD have raised far-reaching objections to the merger. EPIC Statement. (Dec. 20)

EPIC, Privacy Groups Urge Ask.com to Fix Ask Eraser. In a letter to Ask.com, EPIC and several other privacy organizations have asked CEO Jim Lanzone to change Ask Eraser, a new search tool that the company says "will offer its searchers unmatched control over their privacy." After a study of the search product, EPIC found that Ask Eraser (1) requires an opt-out cookie, (2) creates a quasi-unique identifier, and (3) will be disabled without notice. All three attributes create substantial privacy risks for Internet users. (Dec. 20)

EPIC Testifies in Congress on Data Breach Legislation. EPIC Associate Director Lillie Coney testified before the House Judiciary Committee on H.R. 4175, the Privacy and Cybercrime Enforcement Act. The bill would strengthen penalties for identity theft, require notices for security breaches, and establish privacy impact assessments for federal rulemakings. EPIC supported the legislation, noting that it did not preempt stronger state laws, and recommended that the bill address emerging technologies for identification. For more, see EPIC's page on Identity Theft. (Dec. 18)

New Procedure for Handling WHOIS Conflicts with Privacy Law Proposed. The Internet Corporation for Assigned Names and Numbers (ICANN) has posted a notice of implementation of its revised Procedure for Handling WHOIS Conflicts with Privacy Law. The procedure will be posted for 30 days, and is planned for implementation in January 2008. The procedure describes how ICANN will respond to a situation where a registrar or registry indicates that it is legally prevented by local or national privacy laws or regulations from complying with the provisions of its ICANN contract regarding the collection, display and distribution of personal data in the WHOIS database. EPIC has pointed out in comments and publications how current WHOIS policies conflict with national privacy laws. For more information, see EPIC's page on WHOIS privacy. (Dec. 19)

Congress Passes OPEN Government Act. Congress has passed legislation that would amend the Freedom of Information Act for the first time in a decade. The OPEN Government Act would impose meaningful deadlines on agencies handling information requests, establish a FOIA hotline, bring government records held by private contractors into full public view, create a FOIA Ombudsman, and allow agencies to waive FOIA fees for freelance journalists and bloggers. The bill also reverses a presumption against disclosure that was created by an order of former Attorney General John Ashcroft. Senator Patrick Leahy led the efforts to enact the new open government law. For more information, see EPIC's FOIA Notes and Litigation Under the Federal Open Government Laws. (Dec. 19)

Spotlight: 'Enhanced' Licenses Drive Backwards on Security, Privacy. EPIC's Spotlight on Surveillance Project turns to Homeland Security's plan to transform several states' driver's licenses into federal identification cards, so-called "enhanced" driver's licenses. The proposed cards would cost more than current licenses, transmit data to remote readers, and contain citizenship status. The Government Accountability Office recommended (pdf) against RFID chips in ID cards, stating that this could allow for the "tracking and profiling" of individuals. Spotlight on Surveillance report. (Dec. 19)

EPIC Urges Against Camera Surveillance At DHS Privacy Workshop. At a Department of Homeland Security workshop, EPIC recommended against the creation of camera surveillance systems (also known as "CCTV"), stating that studies have shown the systems do not significantly reduce violent crime and that less expensive technology, such as improved lighting and motion sensors, is more effective. EPIC Senior Counsel Melissa Ngo said that, if communities do decide to install CCTV systems, then fair information practices should be adopted, including minimization of data collection, retention, use and distribution, openness of process, public access to and correction of records, stringent security safeguards, and accountability. See Observing Surveillance and EPIC's Video Surveillance page. (Dec. 18)

EPIC, ACLU Demand Disclosure of Memos Justifying Illegal Spying. Today EPIC and other civil liberties groups filed court papers to obtain documents related to the President's warrantless surveillance program. In December 2005, immediately following a New York Times report on the program, EPIC requested the legal opinions and related documents that were prepared to justify and monitor the program. The American Civil Liberties Union and the National Security Archive also submitted FOIA requests. Nearly two years after the initial disclosure of the program, the groups ask that the court deny the government's request to dismiss the case, and instead review the documents in private, releasing those that the law entitles the public to view. The case is EPIC v. Department of Justice, No. 06-cv-0096 (HHK). For more, see EPIC's page on Warrantless Surveillance FOIAs. (Dec. 18)

FTC Chair Dismisses Recusal Petition in Jones Day-Doubleclick Conflict of Interest Case, EPIC Files Expedited Open Government Request. FTC Chairman Deborah Majoras has refused to step down in the Commission's review of the Google-Doubleclick merger even though it was revealed this week that her husband's law firm is representing Doubleclick. EPIC and the Center for Digital Democracy have issued a statement. EPIC has also submitted a detailed Freedom of Information Act request seeking the expedited release of all documents concerning the participation of Jones Day in the Commission's review of Doubleclick as well as other matters involving consumer privacy. (Dec. 15)

EPIC, CDD Raise New Questions About FTC Chair's Possible Conflict of Interest. Today EPIC and the Center for Digital Democracy provided new information to the Federal Trade Commission concerning Jones Day's representation of Doubleclick in the pending merger review. The new filing makes clear that statements denying Jones Day participation in the matter are flatly contradicted by an earlier posting on the firm's web site. The EPIC/CDD filing also notes that the firm has subsequently removed the relevant web pages from its web site. The groups are filing a Freedom of Information Act request for all documents at the Commission regarding the matter and notifying Congressional oversight committees. See EPIC's page on Privacy? Proposed Google-DoubleClick merger. (Dec. 13)

International Human Rights Day - Privacy is a Fundamental Right. December 10, International Human Rights Day, commemorates the 1948 adoption of the Universal Declaration of Human Rights. Human Rights Day 2007 marks the start of a year-long commemoration of the 60th anniversary of the Declaration. The document is the foundation of international human rights law, the first universal statement on the basic principles of inalienable human rights, and a common standard of achievement for all peoples and all nations. Article 12 of the Declaration includes privacy as a fundamental human right. The EPIC Privacy Law Sourcebook contains the complete Universal Declaration of Human Rights. For more information, watch this video. (Dec. 10)

Facebook Announces Beacon Opt-out, Promises Not To Retain Data. Social networking site Facebook announced that users would be able to globally opt-out of the "Beacon" advertising system. Beacon collects information on interactions with third party sites such as Fandango and Ebay. Beacon then broadcasts this information to a user's Facebook friends. Security researchers recently revealed that Beacon collects information on all users of those third party sites, not just Facebook members. Facebook's announcement promises that they will not keep or use this information on non-members and those who have opted out. For more see EPIC's page on Social Networking Privacy. (Dec. 4)

Homeland Security to Require 10 Fingerprints from US Visitors. Under border control system US-VISIT, the Department of Homeland Security will begin collecting a full set of fingerprints from foreign visitors to the U.S. Since 2004, US-VISIT has only required two-print collection. The database now includes 90 million sets of prints. EPIC has said that the system lacks adequate privacy and security safeguards. For more information, see EPIC's pages on US-VISIT and Biometrics. (Dec. 3)

Facebook Caves to Privacy Demands, Adopts Limited Opt-In. Social networking site Facebook.com significantly modified the privacy features of its new "Beacon" advertising system. Facebook users found their purchases on third party sites were being broadcast to their Facebook friends. Users had only limited options for opting out of the broadcast. In response to complaints from EPIC, the Center for Digital Democracy, Moveon.org, and thousands of users, Facebook will now ask that users opt-in before broadcasting their details. Facebook will continue to collect information from third party sites and will continue to ask for opt-ins until the user consents. For more information, see EPIC's page on Social Networking Privacy. (Nov. 30)

EPIC, Experts Urge Supreme Court to Strike Down Indiana Voter Photo ID Law. In a "friend-of-the-court" brief (pdf) filed today, EPIC and 10 legal scholars and technical experts urged the U.S. Supreme Court to invalidate an Indiana law requiring individuals to show a government-issued photo ID card before allowing them to vote. "Not only has the state failed to establish the need for the voter identification law or to address the disparate impact of the law, the state's voter ID system is imperfect, and relies on a flawed federal identification system," called REAL ID, they said. For more information, see EPIC's page concerning the case and the National Committee for Voting Integrity. (Nov. 13)

Republicans Seek Privacy Hearing on Google-DoubleClick Merger. A dozen Republican members of the House Subcommittee on Commerce, Trade and Consumer Protection have requested a hearing into the privacy aspects of the proposed Google-DoubleClick merger. In a letter (pdf), the members stated that the privacy implications of the merger "are enormous" and a hearing is needed to understand how consumers' information is used and what can be done to better protect consumer privacy. In complaints (pdf) to the FTC, EPIC, the Center for Digital Democracy and US PIRG have detailed the reasons why the FTC needs to establish substantial privacy safeguards as a condition of the merger. EPIC previously testified (pdf) about the proposed merger before the Senate Judiciary Committee. For more information, see EPIC's page on Privacy? Proposed Google/DoubleClick Deal. (Nov. 7)

EPIC Calls for Whois Privacy. In a letter (pdf) to the Internet Corporation for Assigned Names and Numbers (ICANN), EPIC endorsed the Whois Working Group's efforts to reach resolution on a seven-year attempt to reform Whois policy. The proposal currently being discussed would remove registrants' mailing addresses, phone and fax numbers and email addresses from the publicly available WHOIS database. EPIC previously submitted comments to ICANN supporting this proposal to limit access to registrants' information. EPIC stated that the Operational Point of Contact proposal, while not ideal from a privacy perspective, appears workable and would address the main concerns of the various stakeholders. EPIC suggested that if the proposal does not move forward, then the Board should sunset the Whois database. Thirty other groups and individuals endorsed EPIC's letter to the ICANN Board. For more information see EPIC's page on Whois. (Oct. 31)

EPIC Urges Congress to Monitor Google-Doubleclick Review. In a letter (pdf) to the Congressional Committee that funds the Federal Trade Commission, EPIC urged oversight of the Commission's review of the pending Google-Doubleclick merger. In complaints (pdf) to the FTC, EPIC, the Center for Digital Democracy and US PIRG have detailed the reasons why the FTC needs to establish substantial privacy safeguards as a condition of the merger. If the FTC fails to do so, "we believe there should be a comprehensive investigation of the factors that led to the FTC's decision," EPIC said. See EPIC's page on Privacy? Proposed Google/DoubleClick Deal. (Oct. 26)

TSA Broadens Use of 'Backscatter X-Ray' Machines That Conduct 'Virtual Strip Searches'. The Transportation Security Administration is expanding the use of "backscatter X-ray" systems for passenger screening. The $100,000 refrigerator-size machines use "backscatter" technology, which bounces low-radiation X-rays off of a passenger to produce photo-quality images of travelers as if they were undressed. Computer processing partially obscures the image that is available to operators. TSA states that the agency will delete the raw images, but there is no law or regulation that prevents the agency from saving the original, detailed images. Until there is such a prohibition, EPIC believes funding for the program should be suspended. See EPIC's Spotlight on Surveillance and page on Backscatter X-ray. (Oct. 11)

Federal Court Temporarily Blocks New Government Rule on Employment Eligibility Verification. A federal judge today issued a temporary restraining order (pdf) to stop the Homeland Security agency from enforcing a new rule for its employment eligibility verification system (now called "E-Verify") requiring employers to fire employees if they are unable to resolve "no match" discrepancies within 90 days. The federal government is restricted from issuing 140,000 "no match" letters to employers, which would affect about 8 million workers nationwide. The federal government also is battling Illinois over E-Verify, filing suit (pdf) in a federal court seeking to block a new Illinois law that prohibits employers from using the system until the federal databases it uses can be certified as 99 percent accurate. EPIC has testified (pdf) about the myriad security and privacy problems inherent in the E-Verify system. See EPIC's SSN page and Spotlight on Surveillance on E-Verify. (Oct. 10)

Congress Opens Investigation Into Warrantless Surveillance. The House Committee on Energy and Commerce has launched an investigation into the National Security Agency's domestic warrantless wiretapping program and the involvement of the telephone companies. "Congress has a duty to determine what occurred and also to examine the difficult position of the phone companies who may have been asked by the government to violate the privacy of their customers without the assurance of liability protections," said Committee Chairman John Dingell. Last year, EPIC joined almost 40 organizations in a statement (pdf) urging the Committee to investigate the program's possible violations of the privacy provisions of the Communications Act. See EPIC's Resources on Domestic Surveillance and FISA. (Oct. 4)

Washington DC Release of Privacy and Human Rights Report. On Friday, October 5, EPIC will release the new edition of "Privacy and Human Rights" at the National Press Club. The international survey of international privacy laws and developments tracks new challenges to privacy as well as public opposition to systems of surveillance. A few examples of emerging issues include: the biometric identification of individuals in Iraq, the proliferation of surveillance systems in China, and global investigations into the proposed Google-DoubleClick merger. Guest speakers at the event include UCLA Law Professor Jerry Kang and Sophie In't Veld, a member of the European Parliament. (Oct. 4)

EPIC Welcomes New Advisory Board Members. Experts in communications policy, software architecture, voter identification, open government, and systems of surveillance have joined the EPIC Advisory Board. Annie Anton, David Banisar, Charles Firestone, Pablo Molina, Spencer Overton, Ray Ozzie, Jeffrey Rosen, and Latanya Sweeney were welcomed by EPIC Executive Director Marc Rotenberg and EPIC Board Chair Deborah Hurley. "These leaders are the architects of our common future, as they raise the questions and devise the solutions to the most compelling economic and social issues of our era," Hurley said. See EPIC's Advisory Board page. (Oct. 3)

Spotlight: Secure Flight Should Remain Grounded. EPIC's Spotlight on Surveillance project focuses on the Secure Flight traveler prescreening program. Introduced in 2004, Secure Flight has been roundly criticized (pdf) and the system was suspended in 2006, because it contained massive security and privacy vulnerabilities. Though Secure Flight has been revamped, it remains fundamentally flawed. The core of the program rests on watch lists so full of errors that the Department of Justice's Inspector General (pdf) has suggested that there is "a deficiency in the integrity of watchlist information." EPIC's Spotlight on Surveillance on Secure Flight. (Sept. 28)

EPIC Releases Global Privacy Report. At a conference in Montreal with privacy commissioners, experts, and advocates from around the world, EPIC presented the new edition of "Privacy and Human Rights." The international survey of international privacy laws and developments tracks new challenges to privacy as well as the public opposition to systems of surveillance. The Washington, DC release of Privacy and Human Rights will take place on Friday, October 5 at the National Press Club. (Sept. 28)

U.S. Sues Illinois for Passing Law Demanding Accuracy in Employment Eligibility System. The federal government has filed suit (pdf) in a federal district court seeking to block a new Illinois law, claiming it preempts federal law. However, the state law does not ban outright employer use of the voluntary employment eligibility verification system called E-Verify. Instead the Illinois law prohibits employers from using the system until the federal databases it uses can be certified as 99 percent accurate. Federal reviews have deemed (pdf) the system "seriously flawed in content and accuracy"; for example, the Social Security Administration database is estimated (pdf) to include 18 million incorrect records. See EPIC's SSN page and Spotlight on Surveillance on E-Verify. (Sept. 25)

EPIC Recommends Continued Suspension of Secure Flight Traveler Prescreening Program. In comments (pdf) to the Department of Homeland Security, EPIC urged the agency to either continue to suspend or significantly revise its system of records notice for the Secure Flight program. EPIC explained that the watch lists that Secure Flight used to screen passengers were so error-filled that the Department of Justice Inspector General indicated (pdf) "a deficiency in the integrity of watchlist information." Also the proposed redress procedures are "poor substitutes" for the Privacy Act's judicially enforceable rights of access and correction. DHS suspended Secure Flight in 2006 for a "comprehensive review." Though substantial changes have been made, the program is still full of problems, and EPIC recommended the agency continue Secure Flight's suspension until the problems can be addressed. See EPIC's Secure Flight page. (Sept. 24)

EPIC Testifies Before DHS Privacy Advisory Panel on Fusion Centers. The Data Privacy and Integrity Advisory Committee of the Department of Homeland Security held a series of panel discussions on the topic of "information fusion centers." EPIC's statement to the committee made specific recommendations on the need to create accountability, oversight, and greater transparency on the work of fusion centers. So far DHS has awarded over $380 million in grants to local and state law enforcement to build 43 of the planned 70 interconnected computer networks. The domestic surveillance project is compiling, analyzing, and disseminating detailed personal information for intelligence and other purposes. DHS says it wants to use fusion centers to prevent terrorism, but local and state police want the centers to support their efforts to anticipate, identify, prevent, and/or monitor crime. See EPIC's page on Fusion Centers, and Spotlight on Surveillance. (Sept. 19)

Cities Consider ID Cards for Undocumented Immigrants. San Francisco and New York are debating proposals to create city identification cards that would be available to any resident, regardless of citizenship status. Such cards would establish legal identity and residency and allow cardholders to access basic services such as banking, aid for the homeless and library access. In July, New Haven, Conn., began issuing the first such city-sponsored ID cards to undocumented immigrants. More than 1,500 people have applied for the New Haven cards. See EPIC's Page on National ID Cards and the REAL ID Act. (Sept. 18)

Google, Under Investigation for Violating Global Privacy Standards, Calls for New Global Privacy Standards. As Google faces opposition to the proposed acquisition of Doubleclick, Google's privacy counsel called for less restrictive global privacy standards. The company's current privacy practices are under investigation in many countries around the world, including the United States, Canada, Australia, and most of Europe. More information about international privacy standards is available in EPIC's Privacy Law Sourcebook. (Sept. 14)

EPIC Recommends Suspension of Secret Traveler Profiling Program. In comments (pdf) to the Department of Homeland Security, EPIC urged the agency to either suspend the Automated Targeting System or to fully apply all Privacy Act safeguards to any individual subject to ATS. The system creates secret, terrorist "risk assessments" on tens of millions of U.S. citizens and foreign visitors. This new rulemaking was in response to public criticism that arose from DHS's November 2006 rulemaking, where EPIC led a coalition (pdf) in condemning the terrorist "scoring" of US travelers. Though DHS has made some positive changes, the Automated Targeting System still assigns terrorist risk assessments that are secret and unreviewable and the agency is still seeking broad exemptions from the federal Privacy Act. See EPIC's page on the Automated Targeting System. (Sept. 6)

EPIC v. DOJ: Court Rejects Secrecy Claims in FOIA Case. A federal district court today ordered (pdf) the Department of Justice to be more forthcoming about the basis for withholding documents concerning the President's domestic surveillance program. In December 2005, immediately following the press report of the program, EPIC requested legal opinions and related documents that were prepared to justify and monitor the warrantless surveillance program. The American Civil Liberties Union and the National Security Archive also submitted FOIA requests. A federal court has now ruled in EPIC v. DOJ (pdf) that the Department of Justice's basis for withholding the documents was "too vague and general," and that the FBI's justifications, in particular, are "wholly inadequate." By October 12, the Department must provide far more detailed information to EPIC and the other plaintiffs. See EPIC's Warrantless Surveillance FOIA page. (Sept. 5)

New York City Taxi Drivers Strike Over GPS Tracking. The New York Taxi Workers Alliance is on strike to protest the city's requirement that Global Positioning Satellite (GPS) tracking systems be installed in all cabs. The city has announced a contingency plan that includes a zone-based fare structure, allowing nonstriking drivers to charge passengers more. Last year, Philadelphia cab drivers went on strike to protest a similar plan by the Philadelphia Parking Authority. The mandatory GPS requirement will allow the city to track all cabs and cab drivers. For more information, see Privacy and Human Rights 2005 on satellite surveillance. (Sept. 5)

EPIC Urges Federal Trade Commission to Restrict Use of SSN. In comments (pdf) to the Federal Trade Commission, EPIC urged the Commission to create regulations to limit the use of the Social Security number, but those restrictions should "not limit the ability of the states to develop better safeguards." In Congressional testimony (pdf) and previous comments (pdf), EPIC has consistently called for more restrictions on SSN use and recommended the creation of context-dependent identifiers "that will encourage the development of more robust systems for identification that safeguard privacy and security." See EPIC's SSN page. (Sept. 5)

Secrecy Report Card 2007: Report Finds Expanded Government Secrecy. OpenTheGovernment.org has released its fourth annual Secrecy Report Card 2007 (pdf) which looks at trends in public access to information. The report shows an unprecedented level of restriction of access to information about the federal government's policies and decisions. The 2007 report offers updated numbers on presidential signing statements and invocations of the "state secrets" privilege, and information about restrictive laws introduced/passed in the states. For more information, see EPIC's FOIA page. (Sept. 1)

Spotlight: Employment Verification Database Gets Name Change, But Problems Remain as Federal Agency Pushes Forward. This month, Spotlight turns to the Department of Homeland Security's employment eligibility verification system, which the agency hoped would encompass 6 million employers and 143.6 million workers nationwide. But Congress rejected such legislation, so DHS is now moving the system ahead through administrative regulation. Renamed "E-Verify," DHS will require more than 200,000 federal contractors to check the agency databases before hiring employees. DHS also will require employers to fire employees if they are unable to resolve "no match" discrepancies within 90 days. See EPIC's Spotlight on Surveillance project. (Aug. 31)

EPIC Urges Appellate Court to Consider Substantial Privacy Interest in De-Identified Patient Data. EPIC and 16 experts in privacy and technology today filed a "friend of the court" brief (pdf) in a case concerning a New Hampshire state law banning the sale of prescriber-identifiable prescription drug data for marketing purposes. The experts urged the First Circuit Court of Appeals to reverse the ruling (pdf) of the lower court, which held that the NH Prescription Confidentiality Act violated the free speech rights of data mining companies. The experts said the lower court should be reversed because there is a substantial privacy interest in de-identified patient data that the lower court failed to consider. This privacy interest flows, in part, from the reality that data may not be, in fact, truly de-identified, and also because de-identified data does impact actual individuals. See EPIC's IMS Health v. Ayotte page. (Aug. 20)

Iraq Biometric Database Could Become a "Hit List," Acknowledges Defense Dept. Program Officer. The biometrics program manager in Iraq this week expressed concern that the database containing biometrics and secret files on thousands of Iraqis could "become a hit list if it gets in the wrong hands." According to Lt. Col. Velliquette, the Iraqi system has approximately 750,000 records in its database. Earlier, EPIC, Privacy International, and Human Rights Watch wrote to the US Defense Secretary to warn that the system will lead to reprisals and further killings. For more information, see Transcript of "The Role of Biometrics in Counterinsurgency," blogs at Harpers and Wired, and the EPIC "Iraq Biometric Identification System" page. (Aug. 17)

EPIC Urges FCC to Protect Location Privacy. In comments to the Federal Communications Commission (FCC) on proposed rules for Enhanced 911 location information, EPIC recommended enhanced privacy safeguards. Wireless telephone providers are required to meet certain standards for location accuracy. The FCC requested comments on location accuracy standards as well as extending rules to VOIP services. EPIC reminded the FCC that current privacy rules do not adequately protect location information. EPIC proposed that as location technology improves, so should privacy protection. EPIC also said that there should be consistent privacy rules for both VOIP and other communications services. For more information on telephone privacy see EPIC's Customer Proprietary Network Information page. (Aug. 10)

DHS Revamps Secure Flight Program. More than a year after Secure Flight was suspended for a comprehensive review, the Department of Homeland Security has announced major revisions to the program. Previously, DHS sought to use Secure Flight to assess possibilities for criminal behavior from travelers. The new program will "determine if passenger data matches the information on government watch lists, and transmit matching results to aircraft operators," according to DHS. Currently, the airlines run passenger names against the watchlists. Secure Flight was grounded in February 2006 after government investigations (pdf) found numerous security and privacy vulnerabilities. There are ongoing concerns about the secrecy and accuracy of watchlists and adequacy of redress procedures. See EPIC's Secure Flight page and Spotlight on Surveillance on the Traveler Redress Inquiry Program. (Aug. 9)

DHS Announces New Rulemaking for Automated Targeting System. In response to a November rulemaking, DHS has made changes to the Automated Targeting System, a federal database that created secret, terrorist ratings on tens of millions of American citizens. Some positive changes include a significant reduction in the data retention period and the elimination of a routine use that was unnecessary and far too broad. However, there remain many of the security and privacy risks outlined in comments (pdf) previously filed by EPIC, 29 organizations and 16 privacy and technology experts that urged the agency to suspend the program and to fully enforce Privacy Act obligations. Comments on this new rulemaking are due on September 5. See EPIC's Automated Targeting System page. (Aug. 7)

Congress Enacts Sweeping Changes to Federal Wiretap Laws. Following a frantic, week-long push by the White House to expand domestic spying and reduce judicial oversight, the Congress passed amendments to the Foreign Intelligence Surveillance Act that will permit warrantless surveillance of American citizens when one party to the conversation may be outside of the United States. It is the most dramatic change in the 30-year history of the FISA and will leave millions of Americans subject to electronic surveillance, without court review, regardless of whether they are suspected of any wrongdoing. However, the amendments will sunset in 180 days, which will provide an opportunity for further debate in Congress. More background at EPIC Resources on Domestic Surveillance. (Aug. 6)

Border Security Computer System Plagued With Problems. The border control system US-VISIT is riddled with security vulnerabilities, according to a report (pdf) from the Government Accountability Office. "Weaknesses existed in all control areas and computing device types reviewed," the GAO said this week. Security flaws in the network used at 400 entry points nationwide increase the risk of theft or manipulation of tens of millions of identity records, which include passport, visa, Social Security and biometric data. EPIC has repeatedly criticized (pdf) many security and privacy flaws in the US-VISIT system. See EPIC's US-VISIT page. (Aug. 4)

EPIC Warns Federal Agencies About RFID in US Travel Cards. In comments (pdf) to the State Department and Homeland Security, EPIC recommended against the use of "long-range" RFID technology (which transmits personal data to remote tracking devices) in the proposed "PASS card" for travel between the United States, Canada, Mexico, and the Caribbean. EPIC explained that the tracking technology would jeopardize the privacy and security of US travelers. Earlier this year, Homeland Security abandoned (pdf) a similar proposal for US-VISIT travel documents, following comments from EPIC (pdf) and the Government Accountability Office (pdf). See EPIC's pages on RFID and US-VISIT. (Aug. 1)

"Congress is legislating in the dark. Lawmakers need more information before OKing Bush surveillance program". A 2006 EPIC essay for MSNBC addresses the current White House push for new domestic spying power. From the conclusion: "Surveillance and secrecy are a dangerous mix for democratic government. . . . The Congress that created the federal wiretap laws understood this. It will be interesting to see whether the Congress that is considering changes to those laws remembers that surveillance without oversight provides neither privacy nor security." (Aug 1)

Human Rights Organizations Urge US Secretary of Defense to Investigate Biometric Database of Iraqis. In a letter to Secretary of Defense Robert Gates, EPIC, Privacy International, and Human Rights Watch warn that a new system of biometric identification contravenes international privacy standards and could lead to further reprisals and killings. The groups cite the particular risk of identification requirements in regions of the world torn by ethnic and religious division. The groups also note a 2007 report from the Pentagon's Defense Science Board that said military use of biometric data raises substantial privacy concerns. For more information, see EPIC Iraqi Biometric Identification System page and Privacy International ID Card page. (July 27)

Comprehensive Medical Privacy Bill Introduced in Congress. The Health Information Privacy and Security Act of 2007 (HIPSA) was introduced in the Senate last week. The bill requires that organizations that store health information electronically notify individuals of their privacy practices and establish adequate safeguards to prevent security breaches, or face civil penalties. The bill provides individuals the right to access their health data, prohibits the use of health data without patient authorization and requires de-identification of individually identifiable health data used for research purposes. The bill also establishes a health information privacy department within the Department of Health and Human Services that will provide consumers with privacy rights information. For more information, see EPIC's Medical Privacy page. (July 26)

Spotlight on "National Network" of Fusion Centers. EPIC's current Spotlight on Surveillance reviews "fusion centers," data sharing entities that acquire information from many sources, including private sector firms and anonymous tipsters. The Department of Homeland Security is seeking to create a national network of local and state fusion centers. The federal agency has provided more than $380 million to state and local governments in support of these centers. The fusion center program gives DHS enormous domestic surveillance powers. See the Spotlight on Surveillance on Fusion Centers and EPIC's Fusion Centers page. (July 26)

EPIC Recommends Privacy Safeguards for Disaster Victims. In comments to the Department of Health and Human Services, EPIC urged the federal agency to establish effective privacy protections for the National Disaster Medical System (NDMS). The NDMS provides medical treatment and evacuation to disaster victims. The NDMS database will contain all the medical information gained and created during diagnosis and treatment, as well as track patient location. EPIC recommended that the federal agency clarify how it will comply with current medical privacy regulations such as the Health Insurance Portability and Accountability Act, medical ethics, and state laws regulating medical privacy. Further, EPIC proposed that patients be allowed to limit disclosure of their location, as some disclosures may place domestic violence survivors at risk. For more information, see EPIC's pages on Privacy and Domestic Violence and Medical Privacy. (July 26)

U.S. Military Builds Biometric Database on Iraqis. USA Today reports that U.S. troops are using mobile scanners to capture fingerprints and eye scans and to input other personal data from hundreds of thousands of Iraqis. Although General Petraeus has indicated that the purpose is to identify insurgents, U.S. troops are stopping Iraqis at homes, checkpoints, and workplaces, and "In several neighborhoods in and around Baghdad, troops have gone door to door collecting data." A March report (pdf) from the Pentagon's Defense Science Board said military use of biometric data raises substantial privacy concerns. For a discussion of identity systems and threats to privacy, see "Privacy and Human Rights Report 2005." See also EPIC Biometrics page and Privacy International resources. (July 18)

Eleven Groups Urge FCC Not to Mandate Network Filters. EPIC joined Public Knowledge and nine other privacy and consumer rights groups in urging (pdf) the Federal Communications Commission against requiring broadband Internet Service Providers to use network filters on Web content. Last month, NBC requested (pdf) the FCC mandate such content suppression. The privacy and consumer rights groups explained, "Any attempt to use this technology to control what may be done on the Internet will have serious unintended consequences. Particularly, these technologies limit First Amendment freedoms, stifle innovation, threaten personal privacy, and do little to address the underlying problem." For more information, see EPIC's publication, "Filters & Freedom 2.0." (July 17)

New Report Reveals Increased Secrecy of US Government. A report by OpenTheGovernment.org and People For the American Way Foundation documents how, at a time when technology should enable government openness, the executive branch has limited public access to public information. According to "Government Secrecy: Decisions Without Democracy 2007" (pdf), President Bush has used executive orders to limit use of the Freedom of Information Act and Presidential Records Act, expanded the power to classify information for national security reasons, and created a range of new categories of "sensitive" information. In some cases, the government has gone so far as to reclassify documents that had been available to the general public for many years. For more information, see EPIC's FOIA page. (July 16)

EPIC and Consumer Coalition Urge FCC to Adopt Stronger Privacy Safeguards for Telephone Records. In comments (pdf) filed with the Federal Communications Commission, EPIC and a coalition of nine other privacy and consumer groups called for stronger safeguards for customers' telephone records. The Consumer Coalition recommended that the FCC establish comprehensive privacy rules that would require telephone companies to limit access to and retention of consumer call data, safeguard the data stored in mobile phones, and curtail delays of customer notification of security breaches. In response to a 2005 EPIC petition, the FCC earlier this month adopted new rules to strengthen the security of consumers' phone records and requested comments on additional security proposals. For more information, see EPIC's CPNI page. (July 9)

European Commission Opens Inquiry into Google/DoubleClick Merger. The European Commission Directorate on Competition will review Google's $3.1 billion merger with internet advertising company DoubleClick. The news comes a few days after European consumer group BEUC sent a letter (pdf) urging the Commission to investigate the merger. The Article 29 Data Protection Working Party recently expanded (pdf) an investigation of Google's data retention policies to include the policies of all search engines. The U.S. Federal Trade Commission also is reviewing the merger. For more information, see EPIC's page on the Proposed Google/DoubleClick Merger. (July 6)

EPIC Urges Protection of Internet Subscriber Data. EPIC joined five groups in filing a "friend of the court" brief (pdf) in New Jersey v. Reid, an appeal to the state Supreme Court regarding an illegal subpoena to an Internet service provider demanding data on a subscriber. The lower court held (pdf) that subscribers have a reasonable expectation of "informational privacy," defined as "the ability to control the acquisition or release of information about oneself." In their brief, the groups urged the NJ Supreme Court to uphold the ruling: "Like the ability to engage in phone calls confidentially from one's home, so too is the right to make confidential electronic communications from one's home computer deserving of protection." (July 6)

EU and US Reach Agreements on Data Sharing. The European Union and the United States have reached agreements on two forms of data sharing -- that of passenger travel records and of consumers' financial data. One agreement reduces the 34 pieces of data on passengers now collected by US law enforcement authorities to 19 data fields, including name, contact data, payment details, and itinerary information. In another agreement, the US will restrict use of any data received from banking consortium SWIFT exclusively for counter-terrorism purposes, and can retain the data for up to five years. In addition, the European Commission will appoint an "eminent European" who will conduct oversight of US use of SWIFT data. Last June, it was revealed that the US used broad, secret administrative subpoenas to review vast amounts of information from Belgium-based SWIFT, which routes financial data among 7,800 financial institutions in more than 200 countries. For more information, see EPIC's page on EU-US Airline Passenger Data Disclosure and the Spotlight on Surveillance on the SWIFT program. (June 29)

CIA Releases Report on Wiretapping, Surveillance from 1950s to 1970s. The CIA has released almost 700 pages of a "Family Jewels" report (27 MB pdf) detailing the agency's questionable activities from the 1950s to the 1970s. The report includes information on assassination plans, illegal wiretaps, a seven-year domestic surveillance operation, attempted break-ins, and the "unwitting" participation of civilians in behavioral modification studies. The agency released the documents in response to a Freedom of Information Act request filed 15 years ago by the National Security Archive at George Washington University, which posted a six-page summary (pdf) it had received in 2000. For more information, see EPIC's pages on Domestic Surveillance and Foreign Intelligence Surveillance Act. (June 27)

European Privacy Agency Expands Probe to All Search Engines. The Article 29 Data Protection Working Party has announced (pdf) that it will expand its initial investigation (pdf) into Google's privacy practices and specifically its retention of personal information. The Working Party will now review "search engines in general, and scrutinize their activities from a data protection point of view, because this issue affects an ever growing number of users." In response to the Working Party's investigation, earlier this month, Google said (pdf) that it will soon retain user data for a maximum of 18 months. The company previously announced that it would begin retaining user data for a maximum of 18 to 24 months, but the company continues to operate under its policy of retaining the information indefinitely. For more information, see EPIC's page on the Proposed Google/DoubleClick Deal. (June 22)

EPIC Testifies in Congress on Caller ID Spoofing. In testimony before the Senate Commerce Committee, EPIC staff counsel Allison Knight said that the Truth In Caller ID Act of 2007, S.704, as currently drafted does not distinguish between appropriate and inappropriate uses of caller ID spoofing. Caller ID spoofing occurs when a caller conceals his or her phone number and causes another number to appear on the call recipient's caller identification system. EPIC recommended that any ban on caller ID spoofing include an intent requirement, so that spoofing is only prohibited where a person "intends to defraud or cause harm." Further, EPIC opposed an exemption in the Bill provided to law enforcement. EPIC testified on similar legislation in the House earlier this year. (June 21)

EPIC Urges Limitations on SSN Use. In testimony (pdf) before the House Ways and Means Committee, EPIC Executive Director Marc Rotenberg urged Congress to adopt legislation to address the misuse of the SSN and the growing problem of identity theft. Citing a recent report (pdf) from the Federal Trade Commission that finds that identity theft is the number one concern of American consumers, EPIC called for "strong and effective legislation that will limit the use of the SSN" and context-dependent identifiers "that will encourage the development of more robust systems for identification that safeguard privacy and security." EPIC also criticized the President's Identity Theft Task Force for failing to make more aggressive recommendations regarding SSN theft. See EPIC's SSN Page. (June 21)

FBI Issues Revised National Security Letter Guidelines. The FBI has sent to its field agents updated guidelines (pdf) for the use of National Security Letters (NSLs). These letters compel recipients to turn over data to the FBI without any judicial review. Documents obtained by EPIC under the Freedom of Information Act and an Inspector General's report (pdf) both revealed FBI misuse of NSL powers. Earlier this year, EPIC urged Congress (pdf) to repeal the Patriot Act provision that expanded the NSL power. For more, see EPIC's National Security Letters (NSLs) page. (June 13)

Google Cuts Retention Time, But Privacy Problems Remain. Google will cut the period that it retains user data from a maximum of 24 months to a maximum of 18 months, the company said in a letter (pdf) to the Article 29 Data Protection Working Party. Last month, the Working Party began to investigate (pdf) Google's privacy practices and asked whether the company has "fulfilled all the necessary requirements" to abide by EU privacy rules. In its letter, Google did not adequately explain why it needed to retain user data for 18 or 24 months, except to vaguely say that the data would help Google build new services, possibly help prevent fraud and abuse, and that the U.S. and EU member states might impose a 24-month retention requirement. Last week, Privacy International ranked Google's privacy policies dead last among 23 top Internet companies, including AOL and Microsoft. For more information see EPIC's pages on International Data Retention and Proposed Google/DoubleClick Merger. (June 12)

Google Ranks Dead Last on Privacy Among Top Net Companies, Privacy International Reports. In a report released Saturday, Privacy International assigned Google its lowest possible grade, finding the company's privacy practices are the worst among Internet service companies. Not one of the other 22 companies surveyed (including AOL, Microsoft and Yahoo) "comes close to achieving status as an endemic threat to privacy" as Google, said Privacy International. The group cited the privacy issues raised by the Google/DoubleClick merger, which have been highlighted in an FTC complaint (pdf) by EPIC, CDD and US PIRG, and a letter (pdf) from the New York State Consumer Protection Board. The Article 29 Data Protection Working Party has launched an investigation (pdf) into Google's data retention policies. For more information see EPIC's page on Proposed Google/Doubleclick deal. (June 11)

EPIC Testifies on Worker ID System. In testimony (pdf) to the House Subcommittee on Social Security, EPIC Executive Director Marc Rotenberg urged the Subcommittee to strengthen privacy safeguards associated with national employment eligibility verification systems proposed in House and Senate bills. He said the systems "contain significant weaknesses that should be remedied prior to" imposing the verification systems on the 143.6 million authorized workers nationwide. "As currently planned, these systems greatly diminish employee privacy and make personal information vulnerable to theft and misuse. The proposed verification systems would also grant to the federal government unprecedented control over the livelihoods of American citizens." For more information, see EPIC's Spotlight on Surveillance for May 2007 concerning employment eligibility verification systems. (June 7)

Privacy Groups File Amended Complaint with FTC Regarding Google/DoubleClick Merger. EPIC, CDD, and US PIRG today filed a supplement (pdf) to the groups' original complaint (pdf) with the Federal Trade Commission (FTC) concerning the Google/DoubleClick merger. The new complaint explains the need for the FTC to consider consumer privacy interests in the context of a merger review involving the Internet's largest search profiling company and the Internet's largest targeted advertising company. The complaint provides additional evidence about Google and DoubleClick's business practices that fail to comply with generally accepted privacy safeguards, and proposes further steps that the Commission should take if the merger is to be approved. For more information see EPIC's page on Proposed Google/Doubleclick deal. (June 6)

SEC Filing Reveals Google Subject to "Second Request" - Challenge, Order or Modification to Acquisition of Doubleclick Under Consideration. A recent filing with the Securities and Exchange Commission indicates that the FTC has "issued a request for additional information and documentary materials regarding the proposed acquisition" of Doubleclick. According to FTC Chair Majoras's statement on the merger review process, "the majority of investigations in which the FTC issued a second request resulted in a merger challenge, consent order, or modification to the transaction, suggesting that the FTC generally issues second requests only when there is a strong possibility that some aspect of the investigation would violate the antitrust laws." For more information see EPIC's page on Proposed Google/Doubleclick deal. (May 30)

European Privacy Agency Opens Investigation Into Google. The Article 29 Data Protection Working Party has launched an investigation (pdf) into Google's privacy practices and specifically its retention of personal information. The Working Party has asked Google whether the company has "fulfilled all the necessary requirements" to abide by EU privacy rules. European Justice Commissioner Franco Frattini is backing the investigation. Last month EPIC filed a complaint (pdf) at the Federal Trade Commission recommending that the Commission block Google's proposed acquisition of online advertising company DoubleClick. EPIC said that Google has failed to establish basic privacy safeguards. The New York State Consumer Protection Board has also recommended that the merger be blocked. See EPIC's page on Proposed Google/DoubleClick Deal. (May 25)

Senators Leahy and Specter Press Attorney General for Details of Domestic Spying Program. In a letter to Attorney General Alberto Gonzales, Sen. Patrick Leahy and Sen. Arlen Specter are seeking the legal justifications for the President's warrantless domestic spying program. Senate Judiciary Committee Chairman Leahy and Ranking Member Specter wrote that the Attorney General has "rebuffed all requests for documents and your answers to our questions have been wholly inadequate and, at times, misleading." The senators said that the testimony (pdf) of former Deputy Attorney General James Comey, which indicated that the White House went forward with the warrantless spying even though top officials at the Department of Justice believed the program was illegal, "raises very serious questions about your personal behavior and commitment to the rule of law." EPIC is seeking similar documents in a case currently pending in federal court. See EPIC's pages on FISA and the EPIC v. DOJ case. (May 24)

In Court Filing, EPIC Urges Release of Documents Concerning the NSA Surveillance Program. In papers (pdf) filed in Washington, DC, today, EPIC, the American Civil Liberties Union, and the National Security Archive urged a federal district court to require the Justice Department to disclose documents about the NSA Domestic Surveillance program. The motion follows the testimony (pdf) of former Deputy Attorney General James Comey before the Senate Judiciary Committee that indicated that top officials at the Department of Justice believed that the program was illegal. EPIC first sought documents regarding the legal basis for the program just hours after the warrantless surveillance program was first reported in the New York Times in December 2005. For more information, see EPIC v. DOJ page. (May 23)

GAO Report: Customs Agency's Data Collection Violates Privacy Laws. Customs and Border Protection is violating privacy laws in its data collection practices, the Government Accountability Office reported (pdf) today. The GAO said that the current passenger prescreening process does not comply with the Privacy Act of 1974 and the E-Government Act of 2002. Customs "has not fully disclosed or assessed the privacy impacts of its use of personal information during international passenger prescreening as required by law," the GAO said. EPIC has repeatedly urged that the federal privacy laws be fully applied to all passenger prescreening programs. "The lack of enforcement of Privacy Act obligations means that individuals are not given the opportunity to inspect, correct or limit the dissemination of inaccurate information," and this lack of transparency leads to security resources being wasted on innocent travelers who are misidentified as criminal suspects, EPIC said. For more information, see EPIC's Secure Flight page and the November 2006 Spotlight on Surveillance on redress procedures for travelers. (May 16)

9/11 Commission Leaders Press President's Civil Liberties Board on Domestic Surveillance Program. Governor Tom Kean and Lee Hamilton, former Chair and Vice Chair of the 9/11 Commission, sent a letter to the President's Privacy and Civil Liberties Oversight Board in response to the first annual report from the Board. The Kean and Hamilton letter begins with the question "What civil liberties have been specifically protected or enhanced by your actions?" The letter also raises questions about the President's domestic surveillance program, the watch list problems, and the misuse of National Security Letter authority. EPIC testified before the 9/11 Commission on the importance of effective oversight and has published a paper on the need to reform the Privacy board. More information at EPIC's 9/11 Commission page. (May 9)

New York State Consumer Protection Board endorses EPIC's Google/DoubleClick Complaint. The New York State Consumer Protection Board has sent a letter to the Federal Trade Commission (FTC) endorsing EPIC's recent complaint to the FTC regarding the privacy implications of the Google/DoubleClick merger. The Board expressed its concern that the merger of these two companies would create "super-profiles" of users, exposing consumers to the risk of disclosure of their data to third-parties, as well as public disclosure as evidence in litigation or through data breaches. The Board urged the FTC to halt the merger until it has fully investigated Google's planned use of DoubleClick's data post-merger. For more information on the proposed merger, visit EPIC's FTC Google Complaint page. (May 9)

DHS Receives More Than 12,000 Comments on REAL ID Draft Regulations. The Department of Homeland Security has received more than 12,000 comments on its draft implementation regulations for the REAL ID Act, even though the comment process was marked with problems. REAL ID faces considerable opposition from the public, the States and in Congress. More than 60 organizations and 215 blogs joined a campaign against the national identification system. Washington (pdf) and Montana (pdf) have opted out of REAL ID completely. Arkansas (pdf), Colorado (pdf), Hawaii, Idaho, Maine, and North Dakota have passed resolutions opposing REAL ID. At a Senate Judiciary Committee hearing yesterday, Chairman Patrick Leahy said, "The days of Congress rubber-stamping any and every idea cooked up by this administration are over." See EPIC's National ID Cards and REAL ID Act page and the Stop REAL ID Campaign. (May 9)

Technology and Legal Experts Urge Homeland Security to Withdraw REAL ID Proposal, Senate to Hold Hearings as DHS Privacy Committee Organizes Hastily Planned Town Hall Meeting. Twenty-two technology experts and legal scholars will submit comments to the Department of Homeland Security warning the federal agency not to go forward with the Real ID proposal. The experts say that the plan will create new security risks for the American public. The Homeland Security privacy advisory committee is meeting today in Arlington, Virginia. The Senate Judiciary Committee has scheduled a hearing on "Will REAL ID Actually Make Us Safer? An Examination of Privacy and Civil Liberties Concerns" for May 8. Security expert Bruce Schneier will testify. More information at EPIC's National ID Cards and REAL ID Act Page. Take action by 5 pm on May 8. (May 7)

Electronic Surveillance Continues to Increase. According to the 2006 wiretap report (pdf) issued by the Administrative Office of the United States Courts, state and federal courts authorized 1,839 interceptions of wire, oral, and electronic communications in 2006, an increase of four percent over the 1,773 orders issued in 2005. No applications for wiretap authorizations were denied in 2006. Eighty percent of all wiretap applications cited a drug offense as the most serious offense under investigation. Last week, the Office of the Assistant Attorney General reported (pdf) the Government's applications to the Foreign Intelligence Surveillance Court (FISC) in 2006 to Congress. The Government made 2,181 secret surveillance requests in 2006, a record high. Of the 2,181 applications submitted, five were withdrawn by the government prior to a FISC ruling, and the Court made "substantive modifications" to 73 of the applications. FISC denied only one application in part in 2006. For more information, see EPIC's Wiretap and FISA pages. (May 4)

UPDATE: More Than 50 Groups Join Anti-National ID Campaign. A number of groups, including the Coalition Against Prosecutorial Abuse and Asian American Legal Defense and Education Fund, have joined a campaign against REAL ID. Fifty-four groups are urging the public to submit comments against the illegal national identification system created by the Department of Homeland Security under the REAL ID program. DHS seeks to create a massive system filled with sensitive personal data on 240 million license and ID cardholders nationwide, yet has failed to include adequate privacy and security safeguards. To take action and submit comments against this fundamentally flawed national identification scheme, visit the Stop REAL ID Campaign and EPIC's National ID Cards and REAL ID Act page. (May 3)

EPIC Urges Court Review of Surveillance Program. EPIC, in cooperation with the Stanford Constitutional Law Center, filed a "friend-of-the-court" brief (pdf) in "Hepting v. AT&T." This lawsuit alleges that AT&T allowed the government to wiretap calls and e-mails without judicial authority. The U.S. government and AT&T seek to dismiss this case. The EPIC brief states, "The statutes and constitutional provisions relied upon in the complaint are designed to interpose the courts between citizens and the government when government conducts surveillance that it naturally would prefer to conduct in secret and wholly at its own discretion . . . . This litigation should thus proceed, lest the privacy claims here be made effectively unreviewable." For more information, see EPIC's Resources on Domestic Surveillance, Spotlight on Surveillance on the NSA Program, and page on Hepting v. AT&T. (May 3)

Forty-Three Groups Join Campaign to Stop REAL ID. EPIC joins 42 groups, including the American Library Association and Common Cause, today in a campaign against the illegal national identification system created by the Department of Homeland Security under the REAL ID program. The national campaign solicits public comments to stop a national ID scheme without adequate privacy and security safeguards; which will make it more difficult for people to get driver's licenses; and which will make it too easy for identity thieves, stalkers, and corrupt government officials to get access to the personal data of 245 million individuals. The draft regulations to implement the REAL ID Act are open for comment until 5 p.m. EST on May 8, 2007. To take action and submit comments against the fundamentally flawed national identification scheme, visit the Stop REAL ID Campaign and EPIC's National ID Cards and REAL ID Act page. (May 1)

EPIC Recommends Better Notification and Strong Privacy Safeguards for Security Breach Investigations. In comments (pdf) to the Federal Trade Commission today, EPIC urged the FTC to limit the disclosure of personal information related to security breach investigations. EPIC said that the Privacy Act exemption sought by the Commission was far too broad. EPIC recommended that the FTC significantly narrow the exemption by "creat[ing] tiers of access, allowing specific categories of individuals limited access to the data, according to the needs of the investigation." EPIC also said that the Commission should notify individuals whose personal data may have been improperly disclosed in a security breach before other government agencies are notified. For more information, see EPIC's page on Identity Theft. (Apr. 30)

White House Privacy Board Releases First Report, Privacy Act Missing in Action. The President's Civil Liberties Oversight Board published its First Annual Report to Congress. The report lists various activities during the past year, but provides little insight as to the Board's position on such key issues as the President's domestic surveillance program, government watch lists, or the terrorist scoring that the Department of Homeland Security assigns to US citizens. A search for "Privacy Act," the primary federal law that safeguards the rights of Americans, produces 0 hits. EPIC has published a detailed report (pdf) recommending changes to the Board. Legislation that would reform the Board has passed in the Senate and the House. (Apr. 24)

White House ID Theft Report to be Released Today. Attorney General Gonzales and FTC Chairman Majoras will hold a press conference today to announce the release of the final report of the President's Identity Theft Task Force. In January 2007, EPIC submitted comments to the Task Force that emphasized the need to establish better privacy and security practices to reduce the risk of identity theft, rather than simply expand law enforcement authority. EPIC criticized "government and private agencies that collect and store excessive amounts of often unnecessary personal information in systems that lack adequate privacy and security safeguards." EPIC wrote, "The best long-term approach to the problem of identity theft is to minimize the collection of personal information and to develop alternative technologies and organizational practices." EPIC also recommended the adoption of privacy enhancing technologies, data minimization, and meaningful remedies when security breaches and privacy violations occur. See EPIC Identity Theft page. (Apr. 23)

EPIC Files Complaint With FTC Regarding Google/DoubleClick Merger. EPIC, CDD and US PIRG today filed a complaint (pdf) with the Federal Trade Commission (FTC), urging the Commission to open an investigation into the proposed acquisition. The groups urged the FTC to assess the ability of Google to record, analyze, track, and profile the activities of Internet users with data that is both personally identifiable and data that is not personally identifiable. The groups further urged the FTC to require Google to publicly present a plan to comply with well-established government and industry privacy standards such as the OECD Privacy Guidelines. Pending the resolution of these and other issues, EPIC encouraged the FTC to halt the acquisition. See EPIC's FTC Google Complaint page. (Apr. 20)

EPIC Brief Seeks to Protect Domestic Violence Victims. EPIC filed an amicus brief (pdf) in a divorce discovery dispute, urging a district court to limit the release of cell phone records, following a ruling that the requesting party was a harasser. EPIC's brief identified the growing public policy that protects the privacy of telephone records, including the recent FCC Order (pdf) improving the protection of calling records. EPIC also highlighted privacy advances in the Violence Against Women Act of 2005, which added "placing under surveillance" to the definition of stalking. Lastly, EPIC urged the court to consider such privacy interests as security and use limitation. See EPIC's Domestic Violence and Privacy project. (Apr. 16)

Justice Department Proposes Vast Expansion of Domestic Surveillance. The Department of Justice has recommended legislation that would give the agency new authority to conduct surveillance within the United States under the Foreign Intelligence Surveillance Act. The proposal would also remove current obligations communications providers have to safeguard the privacy of customer information. The American Bar Association has recommended that, rather than expand FISA, the Congress should establish new safeguards that limit the administration's domestic spying program. More at EPIC FISA page and EPIC FISA Orders 1979-2005 page. (Apr. 13)

Following EPIC Recommendations, FCC Establishes New Consumer Privacy Safeguards. In response to a petition filed by EPIC, the FCC issued rules to protect the privacy of consumers' telephone records. The new safeguards prohibit unauthorized access to phone records, require passwords for customer accounts, require notice of any changes to account information, and establish opt-in consent before disclosing customer information. FCC Chairman Martin called the unauthorized disclosure of customer information "a significant privacy invasion." While the rules include a requirement to notify customers of unauthorized disclosures of telephone records, law enforcement agencies can delay notification, a provision that was criticized by Commissioner Copps and Commissioner Adelstein. The FCC also announced a new rulemaking to consider such issues as audit trails, data retention, and safeguards for information stored in cell phones. For more information, see EPIC's Illegal Sale of Phone Records page. (Apr. 3)

EPIC Recommends Against Use of Universal Identifiers. In comments (pdf) to the Federal Trade Commission, EPIC warned against using universal identifiers, such as biometrics, in authentication systems. EPIC explained that a biometric identifier cannot be changed by a victim once his or her identity has been breached -- a fingerprint is unalterable. "Any move toward universal identifiers, while potentially deterring amateur thieves, increases the potential for misuse once determined criminals steal that data," EPIC said. For more information, see EPIC's Biometrics page and National ID Cards and REAL ID Act page. (Mar. 23)

EPIC Appears Before Homeland Security Committee on REAL ID. At a Department of Homeland Security Data Privacy and Integrity Advisory Committee meeting today, EPIC and other groups explained the many security, financial and privacy costs created by the proposed regulations to implement the REAL ID Act (pdf). EPIC explained (pdf) that the ubiquity of licenses, the mandate that only REAL ID cards will be used for federal purposes, and the proposed universal design for non-REAL ID cards add up to an atmosphere where people without such cards will be looked upon with suspicion. EPIC's Melissa Ngo said, "Critics of the REAL ID Act and proposed regulations have been labeled anti-security. It is not anti-security to reject a national identification system that does not add to our security protections." For more information, see EPIC's National ID Cards and REAL ID Act page. (Mar. 21)

EPIC Calls for Repeal of Misused Patriot Act Powers. In a letter to the Senate Judiciary Committee, EPIC recommended that Congress repeal the National Security Letter authority. National Security Letters permit the FBI to compel the disclosure of records held by banks, telephone companies, and others without judicial oversight. In 2005, EPIC uncovered documents concerning National Security Letters which revealed violations of law reported to the Intelligence Oversight Board. More recently, the Office of Inspector General reported serious misuse of the power at the FBI. See EPIC Patriot Act page. (Mar. 21)

EPIC Testifies in Congress on Combating Pretexting. In testimony (pdf) before the House Energy and Commerce Committee, EPIC Executive Director Marc Rotenberg expressed support for H.R. 936, the Prevention of Fraudulent Access to Phone Records Act. The Act would increase privacy protections for phone records. In August 2005, EPIC petitioned the FCC to establish stronger security standards for telephone records. The FCC endorsed (pdf) EPIC's petition in February 2006, but more than a year later, there are still no clear standards for telephone record privacy. For more information, see EPIC's Phone Records Privacy page. (Mar. 9)

State Department Issues Annual Human Rights Report. The U.S. State Department has just released its annual human rights report. The report, spanning over 1,800 pages and over 180 countries, describes the performance of governments in putting into practice their international commitments on human rights reflected in the United Nations Universal Declaration of Human Rights. Each country report includes a section on privacy, which is addressed mainly in the context of Internet censorship, access and surveillance. Although the introduction acknowledges that the report was released at a time when the United States' own record and actions have been questioned, the report does not include a section on U.S. human rights performance. For more information, see EPIC's Privacy and Human Rights Report 2005. (Mar. 9)

Report Finds FBI Misused PATRIOT Act Powers. The Department of Justice Inspector General has determined that the FBI abused the National Security Letter authority established by the Patriot Act. With a National Security Letter, the FBI can demand information from companies and individuals without any court approval. The Inspector General found unreported violations of law in 22% of the cases examined and also that the FBI did not report the actual number of Security Letters to Congress as required by law. The FBI acknowledged today that there has been "inadequate auditing and oversight" of National Security Letter authority. In 2006, EPIC recommended that Congress investigate abuses in FBI intelligence gathering and recommended improved reporting requirements for National Security Letters. More information at EPIC Patriot Act page. (Mar. 9)

EPIC Opposes New ID Requirements for Voters. More than two years after Congress rushed through passage of the REAL ID Act (pdf), the Department of Homeland Security announced today proposed regulations (pdf) that would turn the state driver's license into a national identity card. The estimated cost of the plan exceeds $11 billion and the national ID system will increase security risks (pdf) as well as the threats to personal privacy. The agency also released a Privacy Impact Assessment (pdf). Proposals to repeal Real ID have been adopted in the states and introduced in Congress. For more information, see EPIC's National ID Cards and REAL ID Act page. (Mar. 1)

After Long Delay, Homeland Security Department Issues Regulations for Flawed National ID Plan. More than two years after Congress rushed through passage of the REAL ID Act (pdf), the Department of Homeland Security announced today proposed regulations (pdf) that would turn the state driver's license into a national identity card. The estimated cost of the plan exceeds $11 billion and the national ID system will increase security risks (pdf) as well as the threats to personal privacy. The agency also released a Privacy Impact Assessment (pdf). Proposals to repeal Real ID have been adopted in the states and introduced in Congress. For more information, see EPIC's National ID Cards and REAL ID Act page. (Mar. 1)

Homeland Security Drops RFID from US-VISIT Documents. The Department of Homeland Security announced (pdf) it has abandoned plans to use radio frequency identification (RFID) technology in the US-VISIT border security system after pilot testing failed. Last month, a government report (pdf) identified numerous performance and reliability problems in the 15-month test. The report said that RFID failed to "meet a key goal of US-VISIT -- ensuring that visitors who enter the country are the same ones who leave." EPIC repeatedly criticized (pdf) the flawed proposal to embed RFID tags in travel documents, citing the plan's lack of basic privacy and security safeguards. For more information, see EPIC's US-VISIT page. (Feb. 26)

Secure Flight Delayed Until 2010. Implementation of Secure Flight, a federal passenger screening program, will be delayed until 2010, at least five years behind schedule, according to the Transportation Security Administration. Secure Flight was suspended a year ago after two government reports detailed security and privacy problems. One report (pdf) found 144 security vulnerabilities. About $140 million has been spent on the program, and the TSA is seeking another $80 million for proposed changes. For more information, see EPIC's page on Secure Flight. (Feb. 23)

EPIC Recommends Privacy Safeguards for Traveler Screening Program. In comments (pdf) to the Department of Homeland Security, EPIC urged the agency to fully apply Privacy Act requirements of notice, access, and correction to the new traveler redress program and the underlying watch list system. Instead of following the Privacy Act, the agency is asking the public to rely on its "internal quality assurance procedures." EPIC explained that these procedures aren't working and cited a government report (pdf) that found significant problems with the handling of personal information and violations of privacy laws by DHS. Tens of thousands of people have applied for redress after being mistakenly matched as federal officials have struggled to trim the bloated watch lists. For more information, see EPIC's page on Passenger Profiling. (Feb. 20)

EPIC Warns Maryland Senate of REAL ID's Security Risks. At a public hearing of the Maryland Senate, EPIC's Melissa Ngo explained that the privacy and security risks of the REAL ID Act remain unresolved. She also pointed to the adverse impact on victims of domestic violence. The federal legislation would create a national database with the personal data of 245 million license and state ID cardholders, yet there is still no plan for adequate privacy and security safeguards. This would leave sensitive data at risk for identity theft, misuse or abuse. EPIC expressed support for a Maryland bill calling for repeal of the REAL ID Act. For more information, see EPIC's National ID Cards and REAL ID Act page. (Feb. 15)

FTC Reports that Identity Theft Again Tops List of Consumer Complaints. The annual report (pdf) by the Federal Trade Commission finds identity theft complaints, for the seventh year in a row, the number one concern of US consumers, accounting for 36 percent of the 674,354 complaints received. According to the FTC, credit card fraud (25 percent) was the most common form of reported identity theft, followed by phone or utilities fraud (16 percent), bank fraud (16 percent), and employment fraud (14 percent). The FTC report appears to repudiate an industry-funded study that suggested a decline in identity theft. (Feb. 8)

Personal Data Privacy and Security Act Introduced in Senate. Senators Leahy and Specter introduced the Personal Data Privacy and Security Act of 2007 (S. 495). The bill, which is similar to a bill introduced in 2005, requires government and commercial entities to ensure that the personal data they collect is protected by adequate security. Commercial data brokers must provide access and correction to the personal information that they hold, and are required to provide notification when they experience a breach involving sensitive personal data. For more information, see EPIC's Choicepoint page. (Feb. 7)

Accountability Office Criticizes Federal Agency Over Security of Health Data. In a report issued on February 1, the US Government Accountability Office criticized the Department of Health and Human Services (HHS) for issuing contracts to develop initiatives for health information technology records-sharing without setting up adequate privacy guidelines. The report recommends that HHS "define and implement an overall privacy approach that identifies milestones for integrating the outcomes of its initiatives, ensures that key privacy principles are fully addressed, and addresses challenges associated with the nationwide exchange of health information." For more information, see the EPIC page on Medical Privacy. (Feb. 6)

EPIC Joins Civil Liberties Brief in Newsletter Subscriber Privacy Case. EPIC has joined six civil liberties groups in a "friend of the court" brief (pdf) in Forensic Advisors, Inc. v. Matrixx Initiatives, Inc., which is currently before the highest court in Maryland. In this case, pharmaceutical company Matrixx is attempting to force a newsletter publisher to disclose his subscriber list in connection with a lawsuit filed against unidentified people who posted derogatory comments about the company online. The brief argues that the subscriber list is protected under the First Amendment, since disclosure of the list would deter readership and violate constitutionally established privacy rights. EPIC previously joined a "friend of the court" brief (pdf) for the case when it was before a lower state court. (Feb. 1)

White House to Release Documents Detailing Secret Spy Program. The Department of Justice will turn over secret documents detailing the government's domestic spying program, Attorney General Alberto Gonzales said today. The documents from the Foreign Intelligence Surveillance Court -- including investigators' applications for permission to eavesdrop and judges' orders -- will be given to Senate Judiciary Chairman Patrick Leahy and Ranking Member Arlen Specter. At a committee hearing two weeks ago, senators criticized Gonzales for refusing to release the documents even though the FISA Court's presiding judge had no objections to making them available to lawmakers who have been cleared to receive details about the program. For more information, see the EPIC Feature: Resources on Domestic Surveillance and the EPIC Privacy Law Sourcebook. (Jan. 31)

Privacy Coalition Holds 13th Annual Meeting. On January 25-27, 2007, the Privacy Coalition held its annual meeting in Washington, DC to review the lead privacy issues from 2006 and plan the privacy agenda for the year. The Coalition is comprised of local, state, and national privacy, civil rights, consumer protection, and civil liberties organizations. More than 50 organizations participated in the meeting. Rep. Maxine Waters gave a keynote speech. (Jan. 29)

Maine Lawmakers Refuse to Implement REAL ID Act. The Maine House and Senate registered nearly unanimous opposition today to the federal REAL ID Act (pdf), which mandates federal requirements for state driver's licenses and requires state DMVs to verify identification documents, such as birth certificates. The state legislature passed a resolution stating that the "Maine State Legislature refuses to implement the REAL ID Act and thereby protest the treatment by Congress and the President of the states as agents of the federal government." The resolution also asks Congress to repeal the law. Sen. Daniel Akaka (D-HI) and Sen. John Sununu (R-NH) introduced legislation on December 8 to repeal REAL ID and replace it with language that includes strong security and privacy protections. For more information, see EPIC's National ID Cards and REAL ID Act page. (Jan. 25)

President Urges Passage of Genetic Privacy Bill. In a statement at the National Institutes of Health this week, President Bush called on Congress to pass legislation to protect genetic privacy, so that "medical research can go forward without an individual fearing personal discrimination." A genetic privacy bill, which passed the Senate in 2003 but died in the House, was reintroduced in the House on January 16. The bill seeks to establish a national standard to prohibit genetic discrimination by health insurance providers and employers. Under the bill, these entities cannot require genetic testing, cannot determine premiums or eligibility for insurance or employment based on genetic information, and are limited in their collection and use of genetic information. More at the EPIC Genetic Privacy page. (Jan. 18)

Bush 'Signing Statement' May Allow Warrantless Search of Mail. When President Bush signed the Postal Accountability and Enhancement Act, he included a 'signing statement' that may give the government the power to open citizens' mail without a warrant. Under the law, the government must get warrants to open first-class letters, but in the signing statement, Bush said he would construe the provision, "in a manner consistent, to the maximum extent permissible, with the need to conduct searches in exigent circumstances," which Bush defined as protecting against hazardous materials and "the need for physical searches specifically authorized by law for foreign intelligence collection." President Bush has issued at least 750 signing statements, more than all other presidents combined, according to the American Bar Association. (Jan. 8)

EPIC Urges State Dept. to Drop Plan for Flawed ID System. In comments (pdf) to the State Department, EPIC warned that a proposed "PASS card" for travel between the United States, Canada, Mexico, and the Caribbean would jeopardize the privacy and security of US travelers. The PASS card is based on long-range wireless technology, "vicinity" RFID, that would enable remote tracking of individuals. The card also lacks basic access controls and security features that were eventually incorporated in the electronic passport. For more information, see EPIC's RFID page and August 2006 Spotlight on Surveillance. (Jan. 8)